23.4.1 Configuration

The DWDT is used to prevent both secure and never secure system lock-up if the software becomes trapped in a deadlock. It is supplied with VDDCORE. It restarts with initial values on processor reset. It embeds two watchdogs:

  • NSWDT–Never Secure Watchdog
  • PSWDT–Programmable Secure Watchdog

Each watchdog is built around a 12-bit down counter, which is loaded with the value defined in the field PERIOD of the Window Level register (NS_WDT_WL or PS_WDT_WL). These registers use MD_SLCK divided by 128, which sets the maximum watchdog period at 16 seconds (with a typical MD_SLCK of 32.768 kHz).

For each watchdog, the following parameters can be defined:

  • PERIOD (Watchdog Period)–Load value of the down counter. Once the down counter reaches 0, a watchdog event is generated. For the PSWDT, a watchdog event leads to either a secure interrupt (if PS_WDT_IMR.PERINT is set to '1') or a reset (if PS_WDT_MR.PERIODRST is set to '1'). For the NSWDT, a watchdog event leads to a secure interrupt (if PS_WDT_IMR.NSPERINT is set to '1') and/or a never secure interrupt (if NS_WDT_IMR.PERINT is set to '1').
  • RPTH (Repeat Threshold)–A watchdog restart done before the repeat threshold has elapsed leads to a repeat violation. For the PSWDT, a repeat violation leads to either a secure interrupt (if PS_WDT_IMR.RPTHINT is set to '1') or a reset (if PS_WDT_MR.RPTHRST is set to '1'). For the NSWDT, a repeat violation leads to either a secure interrupt (if PS_WDT_IMR.NSRPTHINT is set to '1') or a never secure interrupt (if NS_WDT_IMR.RPTHINT is set to '1').
  • LVLTH (Interrupt Threshold)–Threshold after which an interrupt is generated. For the PSWDT, a repeat violation leads to a secure interrupt (if PS_WDT_IMR.LVLINT is set to '1'). For the NSWDT, a repeat violation leads to a never secure interrupt (if NS_WDT_IMR.LVLINT is set to '1').

After a processor reset, the value of PERIOD is 0xFFF, corresponding to the maximum value of the counter with the external reset generation enabled (field PERIODRST at 1 after a backup reset). This means that watchdogs are running at reset, i.e., at power-up. The user can either disable the WDT by setting bit PS_WDT_MR.WDDIS and/or NS_WDT_MR.WDDIS to '1' or reprogram the WDTs to meet the maximum watchdog period the application requires.

The NSWDT and the PSWDT embed safeguards against programming out-of-range values. The following inequality must always be respected, otherwise the configuration is cancelled:

RPTH LVLTH < PERIOD

Moreover, the PSWDT can control the range of operation of the NSWDT. It can limit the period, the repeat threshold and the interrupt level of the NSWDT by programming NS_WDT_LVLLIM, NS_WDT_RLIM and NS_WDT_PLIM.
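
Because an invalid combination is cancelled rather than applied, firmware can validate the values before writing them and keep the reset-default watchdog running on failure. The following is an added example, not code from the data sheet or the vendor; the `dwdt_*` names are hypothetical, PERIOD is assumed to hold the tick count directly, and only the parts of the inequality that hold for any ascending ordering are checked (both thresholds below PERIOD).

```c
#include <stdint.h>
#include <stdio.h>

/* Values stated in the section: 12-bit counter, MD_SLCK / 128 tick. */
#define DWDT_SLCK_HZ    32768u  /* typical MD_SLCK */
#define DWDT_PRESCALER  128u
#define DWDT_PERIOD_MAX 0xFFFu  /* reset value of PERIOD */

enum dwdt_err { DWDT_OK = 0, DWDT_ERR_RANGE, DWDT_ERR_ORDER };

struct dwdt_cfg { uint32_t period, rpth, lvlth; };  /* raw field values */

/* Milliseconds to counter ticks, rounded up so the watchdog never
 * expires earlier than requested. Assumes PERIOD is the tick count. */
uint32_t dwdt_ms_to_ticks(uint32_t ms)
{
    uint64_t den = 1000ull * DWDT_PRESCALER;
    return (uint32_t)(((uint64_t)ms * DWDT_SLCK_HZ + den - 1) / den);
}

/* Reject values the hardware would cancel. Assumption: the inequality
 * is an ascending chain, so both thresholds must be below PERIOD.
 * The relation between RPTH and LVLTH is not checked here. */
enum dwdt_err dwdt_check(const struct dwdt_cfg *c)
{
    if (c->period > DWDT_PERIOD_MAX)
        return DWDT_ERR_RANGE;          /* does not fit the 12-bit field */
    if (c->lvlth >= c->period || c->rpth >= c->period)
        return DWDT_ERR_ORDER;          /* also catches PERIOD == 0 */
    return DWDT_OK;
}

int main(void)
{
    /* Constructed sample: 2 s period, thresholds as raw field values. */
    struct dwdt_cfg cfg = { dwdt_ms_to_ticks(2000), 64, 128 };
    enum dwdt_err e = dwdt_check(&cfg);

    printf("PERIOD=0x%03X check=%d\n", (unsigned)cfg.period, (int)e);
    if (e != DWDT_OK)
        return 1;  /* leave the reset-default watchdog untouched */
    /* The PERIOD write to NS_WDT_WL / PS_WDT_WL would follow here. */
    return 0;
}
```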